
Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k
2022-01-26 08:32

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts - and even their webcams.

Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's coffers for finding an earlier webcam-snooping flaw, said the universal cross-site scripting bug in Safari could have been abused by a webpage to hijack a web account the user is logged into, which would be bad. It was also possible to activate the webcam.

If the user accepts and downloads the document, whoever created the shared document can later change the content of the file on their Mac, and ShareBear will automatically change the file on the victim's machine.

The owner of the file could then change it to a webarchive file, including its type, which is synced to the victim's machine, and launch it via a webpage visited by the victim.

Pickren focused on opening a webarchive file on the victim's machine because macOS's Gatekeeper strives to block unapproved apps from running and downloaded webarchive files from opening - and it seemed easier to bypass the webarchive restriction.

One, macOS Monterey 12.0.1 was released with ShareBear updated to just reveal downloaded files rather than launching them; and two, a bug designated CVE-2021-30861 in Safari's engine WebKit was patched to stop quarantined files - such as downloaded webarchives - from being opened.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/26/apple_filesharing_exploit/

Related Vulnerability

DATE: 2021-08-24
CVE: CVE-2021-30861
VULNERABILITY TITLE: Unspecified vulnerability in Apple Safari (A logic issue was addressed with improved state management.)
RISK: local, low complexity, apple, 5.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 130 561 4080 1550 2432 8623